Computer networks are often configured to incorporate network security systems in order to protect the networks against malicious activity. Such malicious activity can include, for example, deployment of malware that is utilized by attackers to create networks of compromised computers or “botnets.”
Network security systems can be designed to protect a computer network of a large enterprise comprising many thousands of host devices, also referred to herein as simply “hosts.” However, enterprise computer networks are in many cases continuously growing in size, and often incorporate a diverse array of host devices, including mobile telephones, laptop computers and tablet computers. This continuous growth can make it increasingly difficult to provide a desired level of protection using the limited resources of the network security system. For example, available network security system functionality such as processing of security alerts and deployment of attack remediation measures on host devices can be strained by the demands of large enterprise networks.
Moreover, recent years have seen the rise of increasingly sophisticated attacks, including advanced persistent threats (APTs), which can pose severe risks to enterprises. These APTs are typically orchestrated by well-funded attackers using advanced tools to adapt to the victim environment while maintaining a low profile of activity. As a result, conventional credential-based authentication techniques and other traditional defenses typically deployed by enterprise network security systems today often fail to detect and remediate access anomalies at a sufficiently early stage.
With this in mind, and in order to address at least some of the above problems, some network security systems are configured to assess risk by grouping or clustering certain persons or users within the enterprise. For example, the network security systems discussed above may cluster persons within the enterprise that, at least on the face of it, are associated with one another, such that the behavior of one person within the cluster can be compared to that of the others in the cluster. However, the difficulty with this approach is that it is not a trivial matter for the enterprise to ascertain whether one person should be associated with another. Even if two persons belong to the same division or department in the enterprise, it does not necessarily follow that the two persons behave similarly, as they may work on different projects or have access to different sets of resources. If these persons were nevertheless clustered together, any comparison between them would likely yield an inaccurate picture, since the persons would most likely behave in very different ways. In this particular instance, the poor clustering leads to the inaccurate picture. This is undesirable.
There is, therefore, a need for further approaches to deal with these problems.
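As an added illustration (not part of the original text), the following Python model contrasts the two ways of forming peer groups described above: grouping by department versus grouping by observed resource access. The users, departments and resource names are constructed for the example, and the Jaccard overlap and thresholds are assumptions of this example rather than anything the text prescribes.

```python
# Constructed baseline: each user's department and the set of resources the
# user accessed during a baseline window (hypothetical names, not from the text).
USERS = {
    "alice": ("finance", {"ledger-db", "payroll-app", "erp-portal"}),
    "bob":   ("finance", {"ledger-db", "payroll-app", "erp-portal", "tax-share"}),
    "carol": ("finance", {"git-server", "ci-runner", "wiki"}),  # same department, different project
    "dave":  ("engineering", {"git-server", "ci-runner", "wiki"}),
    "erin":  ("engineering", {"git-server", "ci-runner", "build-cache"}),
}

def jaccard(a, b):
    """Overlap of two resource sets: 1.0 when identical, 0.0 when disjoint."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def department_peers(users, user):
    """Peers chosen purely by organisational membership."""
    dept = users[user][0]
    return {u for u, (d, _) in users.items() if d == dept and u != user}

def behavior_peers(users, user, threshold=0.5):
    """Peers chosen by how much their baseline access overlaps with the user's."""
    mine = users[user][1]
    return {u for u, (_, res) in users.items()
            if u != user and jaccard(mine, res) >= threshold}

def cohesion(users, user, peers):
    """Mean similarity between a user and a peer set (0.0 when the set is empty)."""
    if not peers:
        return 0.0
    mine = users[user][1]
    return sum(jaccard(mine, users[p][1]) for p in peers) / len(peers)

def anomaly_score(users, user, peers, observed):
    """Fraction of the user's newly seen resources that no peer touched at baseline.
    A high score against an incoherent peer set is a false alarm, not a finding."""
    peer_resources = set().union(*(users[p][1] for p in peers)) if peers else set()
    new = observed - users[user][1]
    if not new:
        return 0.0
    return len(new - peer_resources) / len(new)

if __name__ == "__main__":
    seen = {"git-server", "ci-runner", "wiki", "build-cache"}  # constructed new activity
    for label, peers in (("department", department_peers(USERS, "carol")),
                         ("behavior", behavior_peers(USERS, "carol"))):
        print(label, sorted(peers), round(cohesion(USERS, "carol", peers), 2),
              anomaly_score(USERS, "carol", peers, seen))
```

For the constructed user "carol", the department peer set has zero cohesion and flags her new access as fully anomalous, while the behavior-derived peer set already covers that resource and raises no alert.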